
Java and Spring4Shell: what CVE-2022-22965 really taught Spring teams

Published on 2026-04-11, 6 min read, by Florian

Spring4Shell was not a second Log4Shell

CVE-2022-22965 was quickly branded Spring4Shell. The comparison helped people pay attention, but it also blurred the technical reality. Spring was explicit in its official advisory: the public exploit conditions involved Spring MVC or Spring WebFlux on JDK 9+, deployed as a WAR on Tomcat. A standard Spring Boot executable jar was not vulnerable to that reference exploit path.

Why the flaw still matters

It remains one of the most important vulnerabilities in the Spring ecosystem because it reminded teams that even a mature framework can become critical when several seemingly ordinary deployment conditions combine.

Spring documented the affected versions and recommended upgrades to 5.3.18+ or 5.2.20+.

What this exposed

The real lesson was not just a coding mistake. It was the gap between what teams think they deploy and what they actually deploy. Many organizations said "we are on Spring Boot, so we are fine" without checking whether older applications were still packaged as WAR files behind Tomcat.

Spring4Shell therefore exposed a classic risk of large Java estates: heterogeneity. Inside one company, the label "Spring" can cover very different packaging and runtime models.

What Spring teams should verify in 2026

  • the exact framework branch in production;
  • the real packaging model;
  • the servlet container in use;
  • legacy applications that do not follow the standard Spring Boot path;
  • the ability to patch quickly without waiting for a large migration project.
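One way to turn this checklist into an automated inventory check, as an added example that is not part of the original post: a Python script that inspects a deployed archive, classifies its packaging (WAR versus Spring Boot executable jar), reads the bundled Spring Framework versions from jar file names, compares them with the advisory's fixed versions (5.3.18 and 5.2.20), and reports whether the advisory's reference conditions (unpatched Spring, JDK 9+, WAR on Tomcat) coincide. The sample WAR, the JDK and container values passed in, and the version-from-filename heuristic are constructed assumptions.

```python
import re
import tempfile
import zipfile

# Patched versions named in the Spring advisory: 5.3.18+ and 5.2.20+.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
SPRING_JAR = re.compile(r"spring-(?:beans|core|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)\.jar$")


def packaging_model(names):
    """WEB-INF/ marks a WAR for a servlet container; BOOT-INF/ marks a Spring Boot executable jar."""
    if any(n.startswith("WEB-INF/") for n in names):
        return "war"
    if any(n.startswith("BOOT-INF/") for n in names):
        return "boot-jar"
    return "jar"


def spring_versions(names):
    """Collect Spring Framework versions from the names of bundled jars (heuristic, assumed layout)."""
    matches = (SPRING_JAR.search(n) for n in names)
    return sorted({tuple(int(x) for x in m.groups()) for m in matches if m})


def version_is_patched(v):
    # Branches other than 5.2/5.3: 6.x and later are post-fix; anything older than 5.2 never received one.
    return v >= FIXED.get(v[:2], (5, 3, 18))


def assess(archive, jdk_major, container="tomcat"):
    """Packaging, unpatched Spring versions, and whether all advisory reference conditions coincide."""
    with zipfile.ZipFile(archive) as z:
        names = z.namelist()
    model = packaging_model(names)
    unpatched = [v for v in spring_versions(names) if not version_is_patched(v)]
    return {
        "packaging": model,
        "unpatched": unpatched,
        "needs_upgrade": bool(unpatched),  # any unpatched version needs the upgrade, whatever the packaging
        # Advisory conditions all at once: unpatched Spring, JDK 9+, WAR packaging, Tomcat.
        "reference_exploit_conditions": bool(unpatched) and jdk_major >= 9 and model == "war" and container == "tomcat",
    }


def demo(jdk_major=11):
    """Constructed sample WAR (placeholder empty jars; only their names are inspected)."""
    with tempfile.TemporaryDirectory() as d:
        war = d + "/legacy-app.war"
        with zipfile.ZipFile(war, "w") as z:
            z.writestr("WEB-INF/web.xml", "<web-app/>")
            z.writestr("WEB-INF/lib/spring-beans-5.3.17.jar", b"")
        return assess(war, jdk_major)
```

Run `demo()` to see the constructed legacy WAR flagged; an unpatched version needs the upgrade regardless of packaging, and the reference-conditions flag only ranks urgency across the estate.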

Our view

If Log4Shell is the symbolic Java dependency flaw, Spring4Shell is the symbolic flaw of architectural assumptions. It reminds teams that a modern stack is not just the framework name. It is a combination of versions, packaging, runtime, and deployment habits.

Saying "we use Spring" says very little about risk. Saying "we use this branch, packaged this way, on this runtime, with this patch process" says much more.
